Rails Prepared Statement with select_all
As far as I know, it should be possible to do the following in Rails:
```ruby
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
```
But unfortunately, this does not work at all. Whatever format I try, `$1` and `$2` are never replaced by the corresponding values from the bind array.
Is there anything else I should take care of?
You should use `sanitize_sql_array` in your model, like this:
```ruby
r = self.sanitize_sql_array(["SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ORDER BY month ASC", created1, created2])
self.connection.select_all r
```
This protects you from SQL injection.
Since you are not using named binds, you can do it this way. This works on Rails 4.2.
```ruby
ActiveRecord::Base.connection.select_all(
  "SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",
  nil,
  [[nil,'2016-01-01 12:30'],[nil,'2016-01-01 15:30']]
)
```
I don't understand whether you are trying to use variables, but it is easy with variables; you were using them the wrong way. Use them like this:
```ruby
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
```
where v1 and v2 are variables. If you are trying something else, let me know.
Thanks
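The difference between the `?` placeholders of the `sanitize_sql_array` answer and the `#{v1}` interpolation of the last answer, as an added example that is not part of the original question or answers. It models the placeholder quoting with a small function of its own (an assumption, not ActiveRecord's implementation, which delegates quoting to the database adapter) and feeds both forms the same constructed date-range input.

```ruby
# Added example, not from the question or answers above. The quoting rules here are
# a simplified model of what sanitize_sql_array does with '?' placeholders; real
# ActiveRecord asks the database adapter to quote each value.
require 'time'

# Quote one Ruby value as a SQL literal (assumed rules, MySQL/PostgreSQL style).
def quote_sql_value(value)
  case value
  when Integer, Float then value.to_s
  when Time, DateTime then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
  when NilClass       then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"   # double every embedded single quote
  end
end

# Replace each '?' in sql with the next quoted value, sanitize_sql_array style.
def sanitize_sql_array_like(sql, *values)
  raise ArgumentError, 'placeholder/value count mismatch' unless sql.count('?') == values.size
  remaining = values.dup
  sql.gsub('?') { quote_sql_value(remaining.shift) }
end

# The last answer's form: the raw text is spliced into the SQL, and note that even a
# well-formed date arrives without quotes around it.
def interpolated_query(v1, v2)
  "SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC"
end

# The sanitize_sql_array answer's form: values pass through placeholder quoting.
def sanitized_query(v1, v2)
  sanitize_sql_array_like("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ORDER BY month ASC", v1, v2)
end

# Constructed input, as if read from request parameters. The second value carries a
# stray quote and trailing text, the shape of a malformed or hostile parameter.
START_DATE = '2016-01-01 12:30'
END_DATE   = "2016-01-01 15:30' OR 1=1 --"

if __FILE__ == $0
  puts interpolated_query(START_DATE, END_DATE)   # the trailing text becomes part of the WHERE clause
  puts sanitized_query(START_DATE, END_DATE)      # it stays inside a single quoted literal
end
```

The `$1`/`$2` placeholders in the question are bound by the database driver, a separate mechanism from the `?` form shown here, which is resolved in Ruby before the SQL is sent.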
Note: the technical posts on this site are licensed under CC BY-SA 4.0. If you need to republish, please cite this site's URL or the original article's address. For any questions, contact: yoyou2525@163.com.